Skill Market Publisher

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a legitimate skill-publishing helper, but live use can send skill details, repository links, contact fields, and marketplace submissions to public third-party services.

Install only if you intend to publish skills publicly. Before using --execute, review the generated bundle and dry-run payloads, confirm the exact marketplace and repo scope, remove secrets or proprietary instructions from SKILL.md, use a public contact alias where appropriate, and do not pass custom CLI binary flags unless you trust the executable.

SkillSpector (8)

By NVIDIA

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        dry_run_output("clawhub", command)
        return {"dry_run": True, "command": command}

    result = subprocess.run(
        command,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
Confidence
90% confidence
Finding
result = subprocess.run( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    with tempfile.TemporaryDirectory(prefix="skills-sh-publish-") as temp_dir:
        temp_path = Path(temp_dir)
        result = subprocess.run(
            command,
            cwd=temp_path,
            stdout=subprocess.PIPE,
Confidence
92% confidence
Finding
result = subprocess.run( command, cwd=temp_path, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    ]
    for prefix, probe in candidates:
        try:
            result = subprocess.run(
                [*base_command, *probe],
                capture_output=True,
                text=True,
Confidence
93% confidence
Finding
result = subprocess.run( [*base_command, *probe], capture_output=True, text=True, timeout=10, check=False,

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The rule 'Keep skill content English-only unless a target market explicitly requires localized marketing copy' imposes a language restriction without user consent or a clear safety need. This is not a direct system-compromise issue, but it can cause improper handling of user-provided content, exclusion of non-English materials, or silent alteration of listing text in ways that conflict with user intent or marketplace requirements.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file documents that AgentSkill.sh imports every discoverable SKILL.md from a submitted public repository, but it does not pair that behavior with a strong operator warning about over-broad publication scope. In a skill whose purpose is to publish artifacts to external marketplaces, omission of a scoping warning materially increases the risk of unintentionally exposing additional skills or repository contents beyond the user's intended target.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The Skillstore notes state that the public status API may reveal a workflow run URL before a public listing exists, but the documentation does not clearly explain the metadata leakage implications. That can expose repository identifiers, workflow details, submission timing, or other operational metadata earlier than the user expects, which is a real but comparatively limited disclosure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The live publish paths send repository URLs, skill contents or metadata, and sometimes contact details such as author email to third-party services once `--execute` is used, but the code does not present a runtime disclosure or confirmation summarizing exactly what data will leave the system. In an agent setting, this increases the risk of unintentional exfiltration of private repository references, personal data, or proprietary skill content to many external marketplaces.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `skills.sh` path knowingly depends on anonymous telemetry and only blocks execution when telemetry-disabling environment variables are set; it does not provide a clear runtime disclosure or consent prompt immediately before sending that telemetry. In an autonomous agent workflow, silent telemetry transmission to a third-party service is a privacy and compliance issue even if the feature is described in code comments and metadata.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

62/62 vendors flagged this skill as clean.
